CyberCheatsheets

OpenSSL Cheat Sheet

Cryptography toolkit for certificate inspection, TLS testing, and encoding/hashing in pentests and forensics.

Utilities & ShellscertificatescryptotlsUpdated 2026-06-02

Overview

OpenSSL handles TLS connections, X.509 certificates, and common crypto primitives (hash, encrypt, decrypt, RSA). Use for cert recon, testing weak ciphers, and decoding captured secrets.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y openssl
openssl version

Essential commands

Connect and show cert

openssl s_client -connect target.com:443 -servername target.com </dev/null 2>/dev/null | openssl x509 -noout -text

Hash file

openssl dgst -sha256 file.bin

Base64

openssl base64 -in file.bin -out file.b64
openssl base64 -d -in file.b64 -out file.bin

Common workflows

Certificate details / expiry —

echo | openssl s_client -connect 10.10.10.5:443 2>/dev/null | openssl x509 -noout -dates -subject -issuer
openssl x509 -in cert.pem -text -noout

Test TLS versions / ciphers —

openssl s_client -connect target:443 -tls1_2
openssl s_client -connect target:443 -cipher 'ECDHE-RSA-AES128-GCM-SHA256'

nmap script alternative

nmap --script ssl-enum-ciphers -p 443 target

Generate self-signed cert (lab HTTPS) —

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
-subj "/CN=localhost"

RSA encrypt/decrypt (CTF) —

openssl rsautl -encrypt -pubin -inkey pubkey.pem -in plain.txt -out cipher.bin
openssl rsautl -decrypt -inkey private.pem -in cipher.bin -out plain.txt

PKCS#12 / convert formats —

openssl pkcs12 -in cert.pfx -out cert.pem -nodes
openssl rsa -in key.pem -pubout -out pubkey.pem

Password hashes (legacy) —

openssl passwd -1 'password'    # MD5 crypt
openssl passwd -6 'password'      # SHA-512 crypt

Flags reference

s_client -connect host:port

TLS client handshake

x509 -in FILE

Parse certificate

dgst -sha256

Hash

enc -aes-256-cbc

Symmetric encrypt

genrsa 2048

Generate RSA key

req -new

CSR generation

verify -CAfile ca.pem cert.pem

Chain validation

Tips

  • openssl s_client shows negotiated cipher — document for weak crypto findings.
  • For modern TLS audit use testssl.sh or sslyze alongside OpenSSL.
  • Never use self-signed tricks on production without authorization.
  • openssl dgst faster than sha256sum for odd algorithms (md5, sha1).

References

Related cheat sheets